1
Accreditation, Regulation, and HIPAA
3 Accreditation, Regulation, and HIPAA
2
Pretest (True/False)
The acronym EPHI stands for protected health information in an electronic format.
Medicare provides healthcare benefits for people who are poor.
Local city and county governments may regulate or license healthcare facilities.
3
Pretest (True/False) (continued)
Providing a patient with a copy of the privacy policy implies authorization for the practice to use PHI for almost anything.
In general, a medical office must track the disclosure of PHI for purposes other than treatment, payment, or office operations and keep the records for at least six years.
4
Accreditation and Regulation
Healthcare facilities and practitioners are licensed and regulated by federal, state, and local governments
Voluntary compliance with standards set by recognized accreditation organizations also assists in meeting government requirements
5
Government Regulation
Influences healthcare delivery by:
Requiring licensure of both facilities and their providers
Requiring that they meet certain conditions to participate in programs that reimburse them for treating patients
Examples: Medicare, Medicaid
6
CMS
Medicare: provides healthcare coverage for people ages 65+ and people with disabilities or end-stage renal disease
Medicaid: provides healthcare benefits (partially paid by the states) for people who are poor, blind, or have a disability, pregnant women, and some persons over age 65 (in addition to Medicare)
7
Intermediaries
Administer Medicare and Medicaid on the state level
Contract with CMS to handle claims processing, payments, authorizations, and provider inquiries for a region or state
Follow rules set by CMS regarding preauthorization, payments, and coverage of medical services
8
Influence of CMS on Healthcare Delivery System
Utilization management (UM)
Quality improvement organizations (QIOs)
Reimbursement rates
Prospective payment system (PPS) and DRGs
Conditions of participation (COP) and deemed status
HIPAA security standards enforcement
9
Other HHS Agencies Related to Healthcare Facilities
Food and Drug Administration (FDA)
Drug Enforcement Agency (DEA)
Centers for Disease Control and Prevention (CDC)
Office of Civil Rights (OCR)
10
State Laws
Provide detailed regulations concerning facility operations, sanitation, medical and nursing staff requirements, and patient records
May limit hospital services or require special licenses per department
Require reporting of incidents of infectious diseases, child abuse, and certain injuries (gunshots)
11
State Laws (continued)
Require reporting of a substantial amount of statistical data concerning birth defects, cancer tumors, and patients using the facility
12
Deemed Status
Means an accredited facility is deemed to have complied with CMS’s conditions of participation (COP) by virtue of having complied with standards set by another approved organization
Examples: Joint Commission, CAP, CARF
13
Joint Commission
Formerly known as JCAHO
Leading accreditation organization for acute care facilities; accredited facilities submit statistical data quarterly
Also accredits long-term, behavioral health, and ambulatory care settings
14
Other Accreditation Organizations
College of American Pathologists (CAP):
Accredits medical laboratories
Operates as a CMS authority (has deemed status)
15
Other Accreditation Organizations (continued)
Commission on Accreditation of Rehabilitation Facilities (CARF):
Accredits organizations offering behavioral health, physical, and occupational rehabilitation services, assisted living, continuing care, community services, and employment services
16
HIPAA Transactions and Code Sets
First section of implemented regulations
Govern electronic transfer of medical information for business purposes
Examples: insurance claims, payments, eligibility
Ensure that electronically exchanged information between systems uses the same format
17
HIPAA Transactions
HIPAA standardized formats by requiring specific transaction standards for eight types of electronic data interchange (EDI)
Two additional EDI transactions not yet finalized
18
Ten HIPAA Transactions
Claims or equivalent encounters and coordination of benefits (COB)
Remittance and payment advice
Claims status
Eligibility and benefit inquiry and response
Referral certification and authorization
19
Ten HIPAA Transactions (continued)
Premium payments
Enrollment and de-enrollment in a health plan
Health claims attachments (not final)
First report of injury (not final)
Retail drug claims, coordination of drug benefits, and eligibility inquiries
20
Two Standard Code Sets Required by HIPAA
ICD-9-CM codes for diagnoses (and some inpatient procedures)
CPT-4 and HCPCS codes for outpatient procedures
21
Standards
Required for any coded information within a transaction
Examples include codes for:
Sex
Race
Type of provider
Relation of policyholder to patient
22
HIPAA Uniform Identifier Standards
National Provider Identifier (NPI) for doctors, nurses, and other healthcare providers
Federal Employer Identification Number for employer-sponsored health insurance
National Health Plan Identifier for each insurance plan and the organizations that administer insurance plans
23
HIPAA Privacy Rule
Protects a patient’s protected health information (PHI) from unauthorized disclosure or use in any form
Creates a foundation of federal protections for the privacy of PHI while not replacing more stringent state or federal privacy regulations
24
HIPAA Permits Use of PHI for TPO
A healthcare entity may use or disclose PHI for treatment, payment, and healthcare operations
A healthcare provider may disclose PHI about an individual as part of a payment claim
25
HIPAA Permits Use of PHI for TPO (continued)
A healthcare provider may disclose PHI related to the treatment or payment activities of any healthcare provider
Including providers not covered by the Privacy Rule
26
Other Uses of PHI
Clinical staff may use PHI for activities related to patient care
Nonclinical staff may use PHI for activities related to billing, claims, records, and office or facility operations
27
Safeguards to Protect Patient Confidentiality
Speaking quietly when discussing a patient’s condition with family members in a public area
Avoiding use of patients’ names in public areas
Posting signs to remind employees to protect patient confidentiality
28
Safeguards to Protect Patient Confidentiality (continued)
Isolating or locking file cabinets or records rooms
Providing additional security, such as passwords
29
Medical Office HIPAA Compliance
Providing a copy of the office privacy policy to patients
Asking the patient to acknowledge receiving a copy of the policy and/or to sign a consent form
Obtaining signed authorization forms
Tracking PHI disclosures when unrelated to treatment, billing, or payment purposes
30
Medical Office HIPAA Compliance (continued)
Adopting clear privacy procedures
Training employees to understand privacy procedures
Designating an individual responsible for seeing that privacy procedures are adopted and followed
Securing patient records containing
31
HIPAA Authorization Versus Consent
Authorization requires a form signed by patients or their representatives for each type of PHI disclosure
Consent is inferred from the patient’s receipt of a copy of the Privacy Policy and allows the provider to share PHI for:
Patient treatment
Obtaining payment
Operation of the medical practice or facility
32
Authorization Form Must Include:
Date signed
Expiration date
To whom information may be disclosed
What is permitted to be disclosed
For what purpose the information may be used
33
Figure 3-4 Sample Authorization Form with elements required by HIPAA.
34
Patients’ Rights
Individuals have the right to request and receive a report of all disclosures made for purposes other than treatment, payment, or operation of the healthcare facility
The report must include the date, to whom the information was provided, a description of the information, and the purpose
35
Patients’ Rights (continued)
Individuals may see and obtain copies of their medical records and request corrections if necessary
Facilities must provide access within 30 days of the patient’s request, but may charge patients for copying/mailing costs
36
HIM Responsibilities
Ensuring appropriate consent or authorization forms are on file
Ensuring requests for release of information occur within the time frame of the authorization
Ensuring the minimum necessary portion of the chart is sent to the patient and the disclosure is tracked
37
HIM Responsibilities (continued)
Providing patients with copies of records and disclosure reports (within the office setting)
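Slides 29, 32, 34, 36 and 37 above describe, as policy, what an authorization form must contain, which disclosures an office must track, what a patient's disclosure report must show, and the HIM check that a release falls within the authorization's time frame. The following Python script is an added example, not part of the slides or of the textbook they summarize; it turns those rules into checks that run over a constructed sample log. The data classes, the six-year retention period (taken from the pretest slide), the normalised purpose strings and all sample patients, dates and recipients are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes the Privacy Rule treats as TPO (treatment, payment, healthcare
# operations).  Disclosures for these purposes are not entered in the
# accounting of disclosures.  Normalising purposes to these lowercase
# strings is an assumption of this example.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Accounting period stated in the slides: tracking entries are kept six years.
ACCOUNTING_YEARS = 6


@dataclass
class Authorization:
    """The elements the slides list as required on an authorization form."""
    patient_id: str
    date_signed: Optional[date]
    expiration_date: Optional[date]
    recipient: str      # to whom information may be disclosed
    information: str    # what is permitted to be disclosed
    purpose: str        # for what purpose the information may be used


def authorization_problems(auth: Authorization, request_date: date) -> list:
    """Return the reasons a release on request_date cannot rely on auth.

    An empty list means every required element is present and the request
    falls inside the signed-to-expiration window (the HIM check that a
    release occurs within the time frame of the authorization).
    """
    problems = []
    if auth.date_signed is None:
        problems.append("missing date signed")
    if auth.expiration_date is None:
        problems.append("missing expiration date")
    for element in ("recipient", "information", "purpose"):
        if not getattr(auth, element).strip():
            problems.append(f"missing {element}")
    if auth.date_signed is not None and request_date < auth.date_signed:
        problems.append("request predates the signature")
    if auth.expiration_date is not None and request_date > auth.expiration_date:
        problems.append("authorization has expired")
    return problems


@dataclass
class Disclosure:
    """One release of PHI as recorded by the office."""
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str
    purpose: str


def must_be_tracked(d: Disclosure) -> bool:
    """True when the disclosure is outside TPO and belongs in the log."""
    return d.purpose.lower() not in TPO_PURPOSES


def retain_until(d: Disclosure) -> date:
    """Last day the tracking entry must be kept: six years after disclosure."""
    target_year = d.disclosed_on.year + ACCOUNTING_YEARS
    try:
        return d.disclosed_on.replace(year=target_year)
    except ValueError:
        # 29 February has no counterpart six years on; fall back to 28 February.
        return d.disclosed_on.replace(year=target_year, day=28)


def disclosure_report(log, patient_id: str, as_of: date) -> list:
    """Build the disclosure report a patient may request.

    Includes every tracked (non-TPO) disclosure for the patient that is
    still inside the accounting period on as_of, carrying the four
    elements the slides require: date, recipient, description, purpose.
    """
    rows = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or not must_be_tracked(d):
            continue
        if retain_until(d) < as_of:
            continue  # older than the accounting period
        rows.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "description": d.description,
            "purpose": d.purpose,
        })
    return rows


# Constructed sample data for the example (no real patients or recipients).
SAMPLE_LOG = [
    Disclosure("P001", date(2024, 3, 4), "Referring physician", "Visit summary", "treatment"),
    Disclosure("P001", date(2024, 3, 10), "Health plan", "Claim for 2024-03-04 visit", "payment"),
    Disclosure("P001", date(2024, 5, 1), "State health department", "Lab result", "public health reporting"),
    Disclosure("P001", date(2017, 1, 15), "Court (subpoena)", "Complete chart", "legal"),
    Disclosure("P002", date(2024, 6, 2), "Research registry", "Diagnosis and date of birth", "research"),
]
SAMPLE_AUTH = Authorization("P002", date(2024, 1, 10), date(2024, 7, 10),
                            "Research registry", "Diagnosis and date of birth", "research")

if __name__ == "__main__":
    for row in disclosure_report(SAMPLE_LOG, "P001", date(2024, 7, 1)):
        print(row)
```

Run against the sample log, the report for P001 as of 1 July 2024 carries one row: the public health disclosure. The treatment and payment releases are TPO and never enter the accounting, and the 2017 subpoena entry has passed its six-year retention date.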
38
HIPAA Security Standards
Administrative safeguards
Administrative functions implemented to meet security standards, including assignment or delegation of security responsibility to an individual and security training requirements
39
HIPAA Security Standards (continued)
Physical safeguards
Mechanisms required to protect electronic systems, equipment, and data from threats, environmental hazards, and unauthorized intrusion
Include restricting access to EPHI and retaining off-site computer backups
40
HIPAA Security Standards (continued)
Technical safeguards
Primarily automated processes used to protect data and control access to data
Include using authentication controls to verify authorization to use a computer, and encrypting and decrypting data as it is stored and/or transmitted
41
Security Management Process
Risk Analysis: Identify potential security risks, their likelihood, and their seriousness
Risk Management: Decide how to address security risks and vulnerabilities and develop a strategy to protect the confidentiality, integrity, and availability of EPHI
42
Security Management Process (continued)
Sanction Policy: Define the consequences of failing to comply with security policies and procedures
Information System Activity Review: Regularly review records to determine if any EPHI has been used or disclosed in an inappropriate manner
43
Workforce Security Implementation Specifications:
Authorization and/or Supervision
Workforce Clearance Procedure
Termination Procedures
44
Information Access Management Implementation Specifications:
Access Authorization: Organization identifies who has authority to grant access and the process for doing so
Access Establishment and Modification: How access is established and modified
Isolating Healthcare Clearinghouse Functions: Isolation of clearinghouse computers from other systems in the organization
45
Security Awareness and Training Implementation Specifications:
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
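Slides 42 through 45 list the information system activity review, termination procedures, access authorization and log-in monitoring as implementation specifications without showing what a review actually looks at. The Python script below is an added example, not part of the slides or of the textbook they summarize: it runs one such review over a constructed EHR audit trail, flagging EPHI access by accounts missing from the workforce roster, access after an account's termination date, actions outside the account's role, and repeated failed log-ins. The audit record layout, the roster, the role-to-action map, the three-failure threshold and every user and patient identifier are assumptions made for the example.

```python
from datetime import date, datetime

# Constructed sample audit trail for this example (no real users, patients
# or systems).  Each dict stands for one line written by a hypothetical EHR
# audit log; the field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T08:01:10", "user": "nurse.a",   "event": "login",  "ok": True,  "patient": None,   "action": None},
    {"ts": "2024-09-02T08:02:30", "user": "nurse.a",   "event": "access", "ok": True,  "patient": "P001", "action": "view_chart"},
    {"ts": "2024-09-02T09:15:00", "user": "billing.b", "event": "access", "ok": True,  "patient": "P001", "action": "view_claim"},
    {"ts": "2024-09-02T09:16:00", "user": "billing.b", "event": "access", "ok": True,  "patient": "P002", "action": "view_chart"},
    {"ts": "2024-09-02T22:40:00", "user": "former.c",  "event": "access", "ok": True,  "patient": "P003", "action": "view_chart"},
    {"ts": "2024-09-03T03:00:01", "user": "unknown.z", "event": "login",  "ok": False, "patient": None,   "action": None},
    {"ts": "2024-09-03T03:00:05", "user": "unknown.z", "event": "login",  "ok": False, "patient": None,   "action": None},
    {"ts": "2024-09-03T03:00:09", "user": "unknown.z", "event": "login",  "ok": False, "patient": None,   "action": None},
    {"ts": "2024-09-03T03:05:00", "user": "unknown.z", "event": "access", "ok": True,  "patient": "P001", "action": "view_chart"},
    {"ts": "2024-09-03T07:59:00", "user": "nurse.a",   "event": "login",  "ok": False, "patient": None,   "action": None},
]

# Workforce roster kept under the workforce security and access authorization
# specifications: who holds which role and, for departed staff, when they left.
WORKFORCE = {
    "nurse.a":   {"role": "clinical", "terminated": None},
    "billing.b": {"role": "billing",  "terminated": None},
    "former.c":  {"role": "clinical", "terminated": date(2024, 8, 30)},
}

# Actions each role is authorized to perform (access establishment).
ROLE_ACTIONS = {
    "clinical": {"view_chart", "update_chart"},
    "billing":  {"view_claim", "submit_claim"},
}

# Failed log-ins per account that trigger a finding; an assumed threshold.
FAILED_LOGIN_THRESHOLD = 3


def _finding(event, reason):
    return {"ts": event["ts"], "user": event["user"], "patient": event["patient"], "reason": reason}


def review_access(events, workforce=WORKFORCE, role_actions=ROLE_ACTIONS):
    """Flag EPHI access that the roster or role map does not authorize.

    Three checks, in order: the account is missing from the roster, the
    access falls after the account's termination date, or the action is
    outside the set granted to the account's role.
    """
    findings = []
    for e in events:
        if e["event"] != "access":
            continue
        when = datetime.fromisoformat(e["ts"])
        person = workforce.get(e["user"])
        if person is None:
            findings.append(_finding(e, "access by account not on the workforce roster"))
        elif person["terminated"] is not None and when.date() > person["terminated"]:
            findings.append(_finding(e, "access after termination date"))
        elif e["action"] not in role_actions.get(person["role"], set()):
            findings.append(_finding(e, "action outside the user's authorized role"))
    return findings


def review_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Log-in monitoring: accounts whose failed log-ins reach the threshold."""
    failures = {}
    for e in events:
        if e["event"] == "login" and not e["ok"]:
            failures[e["user"]] = failures.get(e["user"], 0) + 1
    return [
        {"user": user, "failed_logins": n, "reason": f"{n} failed log-ins (threshold {threshold})"}
        for user, n in sorted(failures.items())
        if n >= threshold
    ]


def activity_review(events):
    """One periodic information system activity review over the audit trail."""
    return {"access": review_access(events), "logins": review_logins(events)}


if __name__ == "__main__":
    for section, findings in activity_review(SAMPLE_EVENTS).items():
        print(section)
        for f in findings:
            print("  ", f)
```

On the sample trail the review produces three access findings (billing staff viewing a chart, a departed clinician reading a record after the termination date, and an account that is not on the roster at all) and one log-in finding for the account with three failed attempts; the single failed log-in by nurse.a stays below the threshold. In practice the roster and role map would be pulled from the system that records access authorizations rather than hard-coded.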
46
Other Security Standard Safeguards Include:
Security incident procedures to identify and report security incidents
Contingency plan for recovering access to EPHI
Physical safeguards to protect electronic information systems and related buildings and equipment
47
Other Security Standard Safeguards Include: (continued)
Technical safeguards to protect electronic PHI and control access to it